CerbiStream (GA)

The runtime enforcement engine.

CerbiStream is the .NET logging governance library that runs in-process inside your application. It intercepts every log event at emission time, evaluates your governance profile, and blocks or masks sensitive data before it reaches any downstream destination.

Works with MEL, Serilog, NLog
No call-site rewrites
OSS (MIT)

Application: Your .NET service. Logs emitted normally via MEL, Serilog, or NLog. No call-site changes.

Enforcement Engine: CerbiStream, in-process. Runtime enforcement engine. JSON governance profile evaluated at emission time. Sensitive fields blocked or masked. Violations tagged.

Governed payload only: Clean, policy-compliant event. Redacted fields never enter your logging pipeline.

Your existing destinations: Splunk, Datadog, Azure Monitor, Elastic, OTEL, Seq

What CerbiStream does

Governance without friction.

Sits between your logging framework and your logging destinations. No infrastructure changes. No call-site rewrites.

Works with MEL, Serilog, and NLog

Plugs into all three major .NET logging frameworks as a native provider. No wrapper libraries. No new abstractions.

No call-site rewrites

Existing log statements are untouched. Governance is enforced at the provider level and is completely transparent to application code.

JSON governance profiles

Human-readable cerbi.json files. Version-controlled with your code. No DSL to learn. No vendor lock-in.

Runtime enforcement before ingestion

Every log event is evaluated at emission time, before it reaches Splunk, Datadog, Azure Monitor, or any other sink.

Build-time validation / CI support

A Roslyn analyzer flags governance issues during a standard dotnet build. Policy drift is caught before it ships.

In-process, zero external calls

CerbiStream runs entirely inside your application process. No external relay, no additional network hops.

Blocks PHI, PII, secrets, and credentials

Forbidden fields are blocked or masked at emission. Schema violations are tagged. Nothing sensitive continues downstream.

Violation tagging and metadata

Every event carries governance metadata — profile applied, enforcement state, violations, score — for downstream traceability.

Setup

One line. Full governance.

Program.cs
// Program.cs — one line of setup
builder.Logging.AddCerbiStream();

// Or use preset modes:
.EnableDeveloperMode()   // Console on, queue off
.ForProduction()         // Queue on, telemetry on
.ForTesting()            // Console on, governance on

// Override via environment variables:
// CERBISTREAM_MODE=production
// CERBISTREAM_CONSOLE_OUTPUT=true
// CERBISTREAM_QUEUE_ENABLED=false

cerbi.json — governance profile
{
  "Version": "1.0.0",
  "LoggingProfiles": {
    "production": {
      "RequiredFields": [
        "timestamp",
        "message",
        "correlationId"
      ],
      "DisallowedFields": [
        "ssn",
        "creditCard",
        "password"
      ],
      "FieldSeverities": {
        "password": "Forbidden"
      }
    }
  }
}

$ dotnet build — CI validation
$ dotnet build

✗ CerbiStream.GovernanceAnalyzer findings:
  [CS-GOV-001] Missing required field: correlationId
  [CS-GOV-002] Disallowed field detected: password

(Diagnostics depend on your governance profile.
Fail-fast in CI/CD before policy drift ships.)
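
To make the profile semantics concrete, here is an added C# sketch (not CerbiStream's own code or API) that applies the production profile above to one constructed log event. The helper names Names and Apply, the "***" mask, dropping fields marked "Forbidden", and case-insensitive field matching are assumptions of this sketch; the violation strings reuse the wording of the build output above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Added sketch; not CerbiStream's implementation or API.
// The "production" profile from the cerbi.json shown on this page.
const string cerbiJson = @"{ ""LoggingProfiles"": { ""production"": {
    ""RequiredFields"": [""timestamp"", ""message"", ""correlationId""],
    ""DisallowedFields"": [""ssn"", ""creditCard"", ""password""],
    ""FieldSeverities"": { ""password"": ""Forbidden"" } } } }";

using var doc = JsonDocument.Parse(cerbiJson);
var production = doc.RootElement.GetProperty("LoggingProfiles").GetProperty("production");

// Constructed sample event: mixed-case "Password" key, no correlationId.
var sample = new Dictionary<string, string> {
    ["timestamp"] = "2024-01-01T00:00:00Z", ["message"] = "login failed",
    ["Password"] = "constructed-secret", ["ssn"] = "000-00-0000" };

var (clean, found) = Apply(production, sample);
Console.WriteLine(JsonSerializer.Serialize(clean));
found.ForEach(Console.WriteLine);

static HashSet<string> Names(JsonElement profile, string key) =>
    new(profile.GetProperty(key).EnumerateArray().Select(e => e.GetString() ?? ""),
        StringComparer.OrdinalIgnoreCase);

// Returns a governed copy of the event plus the violations found.
static (Dictionary<string, string>, List<string>) Apply(
    JsonElement profile, Dictionary<string, string> evt)
{
    var disallowed = Names(profile, "DisallowedFields");
    var severities = profile.GetProperty("FieldSeverities");
    var governed = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    var violations = new List<string>();
    foreach (var (name, value) in evt)
    {
        if (!disallowed.Contains(name)) { governed[name] = value; continue; }
        violations.Add($"Disallowed field detected: {name}");
        // Assumption: "Forbidden" drops the field; other disallowed fields are masked.
        bool forbidden = severities.EnumerateObject().Any(p => p.Value.GetString() == "Forbidden"
            && p.Name.Equals(name, StringComparison.OrdinalIgnoreCase));
        if (!forbidden) governed[name] = "***";
    }
    foreach (var name in Names(profile, "RequiredFields").Where(r => !governed.ContainsKey(r)))
        violations.Add($"Missing required field: {name}");
    return (governed, violations);
}
```

The mixed-case "Password" key is included because an exact-match comparison would let it through; when testing a real profile, check how field-name casing and nested properties are treated.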

Install via NuGet

dotnet add package CerbiStream

Manage governance with CerbiShield

CerbiStream enforces policy in the application. CerbiShield is the dashboard that manages profiles, tracks violations, and controls deployments across environments.

Add governance to your .NET logging in minutes.

CerbiStream is open source (MIT) and available on NuGet. Works with your existing stack. No pipeline migration.